Re: OAuth client and server demos
Yes, it helps. For me it looks good to associate permissions and scope with access token. I think I will do something similar in cxf. Btw, I've updated resteasy recently and saw changes in oauth module.:) Cheers, Lukasz 2010/8/18 Sergey Beryozkin > Hi Łukasz > > 2010/8/16 Łukasz Moreń > > > Hi, > > > > I've made changes in demo according to your comments. > > > > thanks. > > > > I will do 'gsoc' tag on my branch to distinguish current gsoc work from > > future changes, as today is 'firm pencil down' date. > > > > ok. > > > > I would like to do additional changes in oauth module. > > > > nice :-). > > > > Access token should be connected with some kind of 'scope' that specifies > > a range of resources it allows to access or operations to invoke. > > > > For example in RestEasy implementation access token is associated with > set > > of principal roles. > > If there is valid access token in the request, oauth filter set user > roles > > associated with token to ServletRequest and let pass it further. > > > > I'm wondering how it can be done in cxf. I would appreciate some help on > > that. > > > > > Believe it or not but I've changed all that as part of the work I've been > doing recently. > Specifically, I've removed the association of roles & principal with access > tokens. > Instead I've introduced permissions which is really what can be requested > by > a consumer and publicly > shown to the end user, example, "Are you ok with letting 3rd party consumer > "doSomething" with your resources" ?. where "doSometing" can be pretty much > any expression like "updateYourAlbom", etc, while roles could be "user", > etc. > > It is then a job of filters/login modules/etc to convert permissions into > the actual roles, as well as retrieve an authenticated Principal. > > I've also added "scopes" which are URIs, which I 'borrowed' from the Google > docs. Example, a consumer may request a permission to "doSomething" at > http://bar. 
If authorized it can access http://bar, http://bar/1, > http://bar/2 > > Does it help ? Any comments ? > > cheers, Sergey > > > Cheers, > > Lukasz > > > > 2010/8/14 Łukasz Moreń > > > > > Hi Sergey, > > > > > > Thanks for feedback. More comments below. > > > > > > 2010/8/13 Sergey Beryozkin > > > > > >> Hi Lucasz > > >> > > >> > > >> 2010/8/13 Łukasz Moreń > > >> > > >> > Hi Sergey, > > >> > > > >> > I've added some improvements to demo and protocol implementation. > > >> > I hope this time build will be fine. > > >> > > > >> > > > >> I've had no problems building this time. Thanks for sorting the build > > >> issues > > >> out. > > >> The only minor hitch is that I had to add > > >> ../../pom.xml > > >> to both oauth client & server demo modules in order to build them. Not > > >> sure > > >> if I could've built them by running > > >> 'mvn install' from samples directly (in > > distribution/target/.../samples) > > >> given that we also have to use -Pspring3. Not a big issue - please > > recheck > > >> just in case... > > >> > > > > > > Yes, I think I need to add relativePath to pom. > > > > > > > > >> > > >> So I've started server and client web apps and run the demo easily. So > > >> it's > > >> all nearly there, and IMHO the project is in a good shape, as far as > > GSOC > > >> is > > >> concerned. Hopefully you can continue on preparing it to the move to > the > > >> trunk :-) > > >> > > >> Here're some comments to the existing demo - see if you could do > > anything > > >> till 16th, if not then it can be dealt with later on. > > >> > > >> > > > I will try do to as much as possible till 16-th. There is still plenty > to > > > do as I see from your commnets and > > > myself so missing things I will add later. > > > > > > > > > > > >> The client registration form requires a user to register a callback > URI. > > >> But > > >> I understand that a callback URI is only provided by a client, when > > >> requesting a temp/request token ? 
That said, requiring what I'd call a > > >> 'connect' or "reply-to" URI registered during the (secure) client > > >> registration process may help with enforcing that the actual callback > > URI > > >> provided by the client *matches* the one provided at the registration, > > >> using > > >> a startsWith function. I've seen it in the Facebook docs and I also > did > > >> something similar in my own project - is this the idea ? > > >> > > > If yes - then please check it's a startsWith check that is used - but > > also > > > > > > consider making providing a callback URI optional at the client > > >> registration > > > > > > time > > > > > > > > > Yes, i used it for that reason. It can be jus passed with request token > > > request. All current OAuth 1.0 servers I've seen need to preregister > > > callback URI, > > > and as you said they check if both uri matches. > > > There is also possibility to pass 'oob' (out of band) value as callback > > URI > > > which means has been established via other means, > > > so then server use preregistered value. Ho
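The thread above proposes matching a client's callback URI against the registered one with a startsWith function, and treating a scope URI such as http://bar as covering http://bar/1 and http://bar/2. As an added example (not code from the CXF or RestEasy OAuth modules), the sketch below contrasts a plain string prefix test with a component-wise comparison; the class name, method names and the `other.example` hosts are constructed for the illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added illustration; names and sample URIs are hypothetical, not CXF code.
public class ScopeUriMatch {

    // Literal string-prefix test on the raw URI strings.
    static boolean naiveMatch(String registered, String requested) {
        return requested.startsWith(registered);
    }

    static int port(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    static String path(URI u) {
        String p = u.getPath();
        return (p == null || p.isEmpty()) ? "/" : p;
    }

    // Same scheme, host and port; requested path equal to, or below, the
    // registered path on a segment boundary.
    static boolean componentMatch(String registered, String requested) {
        URI reg, req;
        try {
            reg = new URI(registered).normalize();
            req = new URI(requested).normalize();
        } catch (URISyntaxException e) {
            return false;
        }
        if (reg.getScheme() == null || req.getScheme() == null
                || reg.getHost() == null || req.getHost() == null) return false;
        if (req.getRawUserInfo() != null) return false;   // no user@host forms
        if (!reg.getScheme().equalsIgnoreCase(req.getScheme())
                || !reg.getHost().equalsIgnoreCase(req.getHost())
                || port(reg) != port(req)) return false;
        String regPath = path(reg), reqPath = path(req);
        for (String seg : reqPath.split("/")) {
            if (seg.equals("..")) return false;           // left over after decoding
        }
        String base = regPath.endsWith("/") ? regPath : regPath + "/";
        return reqPath.equals(regPath) || reqPath.startsWith(base);
    }

    public static void main(String[] args) {
        // Constructed cases: { registered URI, requested URI }.
        String[][] cases = {
            {"http://bar", "http://bar"},
            {"http://bar", "http://bar/1"},
            {"http://bar", "http://bar/2"},
            {"http://bar", "http://bar.other.example/1"},
            {"http://bar", "http://bar@other.example/1"},
            {"http://bar", "http://bar:8080/1"},
            {"http://bar/albums", "http://bar/albums/7"},
            {"http://bar/albums", "http://bar/albums-private/7"},
        };
        for (String[] c : cases) {
            System.out.printf("%-18s %-30s naive=%-5b component=%b%n",
                    c[0], c[1], naiveMatch(c[0], c[1]), componentMatch(c[0], c[1]));
        }
    }
}
```

The string prefix test accepts every row, including the ones where the host, port or path segment differs from what was registered; the component-wise test accepts only the URIs at or below the registered one.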
Regressions in WS-Trust 10 interopfest demo
Hi

I'm seeing all sorts of problems when running samples/ws_security/interopfest/wstrust10, both in 2.3.0-SNAPSHOT and on 2.2.x.
I did run the demo last week and it worked for me but today it is just all failing.

In 2.3.0-SNAPSHOT I had to update the version of maven-ant-run plugin to 1.4 just to get the build working, but besides that I'm seeing some strange errors like

java.lang.NoSuchMethodError: org.apache.cxf.ws.security.trust.STSClient.setPolicy(Lorg/apache/neethi/Policy;)V
    at org.apache.cxf.ws.security.policy.interceptors.SecureConversationTokenInterceptorProvider.setupClient(SecureConversationTokenInterceptorProvider.java:167)

even though I can see STSClient.setPolicy(Object policy) method...

In 2.2.x, the problem is that CXF version gets resolved to 2.3.0-SNAPSHOT, setting the version to 2.2.11-SNAPSHOT results in the async binding test failures.

Can someone please give it a try and confirm it is just not me only ? Now, assuming there're regressions, I'd have to start investigating. Given that I'm a bit raw so to say in this area, any help will be appreciated

thanks, Sergey
RE: whether support for imported xsd in static wsdl as well as xsd's that import other xsd's implemented in cxf???
Hi Dan, Kindly help us to understand below points. 1)As u explained in below mail, Generated wsdl should show just import statements for xsds but actually it is inlining those xsds with cxf-2.2.8? 2) We tried to implement schema validation with cxf-2.2.8. it is doing validation for integer types but not for elements with enumarations. What needs to be done to enable validation for enumaration ? Code used for schema valication in cxf-servlet.xml: http://service.mycomp.com/provider/userservices/assets/st/x2005/}SoftInfoPortType"; createdFromAPI="true"> http://service.mycomp.com/provider/userservices/assets/st/x2005/"; id="publishedEndpointUrl2" address="/GetSoftInfoService" serviceName="st:GetSoftInfoService" endpointName="st:SoftInfoPortType" implementor="com.mycomp.service.provider.userservices.assets.st.x2005.SoftInfoPortTypeImpl"> Regards vishy -Original Message- From: Daniel Kulp [mailto:dk...@apache.org] Sent: Thursday, August 19, 2010 1:31 AM To: dev@cxf.apache.org Cc: Edumudi Viswanath; us...@cxf.apache.org Subject: Re: whether support for imported xsd in static wsdl as well as xsd's that import other xsd's implemented in cxf??? On Wednesday 18 August 2010 7:26:54 am Edumudi Viswanath wrote: > Dan, > > > > We are interested to know whether support for imported xsd in static wsdl > as well as xsd's that import other xsd's is implemented in CXF? It definitely should be, yea. Both wsdl4j and XmlSchema that we use for schema level things support those types of things just fine. Dan > > > > By googling, we came to know "support for imported xsd in static wsdl as > well as xsd's that import other xsd's" is implemented in Spring WS. The > below links will discuss on this. Kindly have a look. 
> > https://jira.springsource.org/browse/SWS-281?page=com.atlassian.jira.plugin > .system.issuetabpanels%3Aall-tabpanel#issue-tabs > > https://jira.springsource.org/browse/SWS-346 > > > > > > Thanks & Regards, > > Oracle logo.gif > > Edumudi Venkata Viswanath | Senior Consultant | +91 20 3984 7491 (O) | > 9665045854 (M) Oracle Financial Services Software Limited | Ambrosia, > Pune, India > > > > Oracle Financial Services Software Limited was formally i-flex solutions > limited. -- Daniel Kulp dk...@apache.org http://dankulp.com/blog
Re: Regressions in WS-Trust 10 interopfest demo
All of those NoSuchMethodError exceptions have been probably caused by the fact I was building sandbox projects depending on outdated 2.3-SNAPSHOT views, so after removing the cxf artifacts from the maven repo I can the exceptions gone.

However, it does appear we have a regression in scenarios 9 and 10 :

Scenario_9_IssuedTokenForCertificate_MutualCertificate11: Exception: javax.xml.ws.soap.SOAPFaultException: An error occurred when verifying security for the message.
Scenario_10_IssuedTokenForCertificateSecureConversation_MutualCertificate11: Exception: javax.xml.ws.soap.SOAPFaultException: An error occurred when verifying security for the message.

Has anyone worked in this area recently ? I'm going to start looking into it as well...

cheers, Sergey

On Thu, Aug 19, 2010 at 11:55 AM, Sergey Beryozkin wrote:
> Hi
>
> I'm seeing all sorts of problems when running
> samples/ws_security/interopfest/wstrust10, both in 2.3.0-SNAPSHOT and on
> 2.2.x.
> I did run the demo last week and it worked for me but today it is just all
> failing.
>
> In 2.3.0-SNAPSHOT I had to update the version of maven-ant-run plugin to
> 1.4 just to get the build working, but besides that I'm seeing
> some strange errors like
>
> java.lang.NoSuchMethodError: org.apache.cxf.ws.security.trust.STSClient.setPolicy(Lorg/apache/neethi/Policy;)V
>     at org.apache.cxf.ws.security.policy.interceptors.SecureConversationTokenInterceptorProvider.setupClient(SecureConversationTokenInterceptorProvider.java:167)
>
> even though I can see STSClient.setPolicy(Object policy) method...
>
> In 2.2.x, the problem is that CXF version gets resolved to 2.3.0-SNAPSHOT,
> setting the version to 2.2.11-SNAPSHOT results in the async binding test
> failures.
>
> Can someone please give it a try and confirm it is just not me only ? Now,
> assuming there're regressions, I'd have to start investigating. Given that
> I'm a bit raw so to say in this area, any help will be appreciated
>
> thanks, Sergey
RE: Regressions in WS-Trust 10 interopfest demo
In order to get any of them to run I had to do major surgery on the modules. Microsoft moved servers and changed TLS certificates. Furthermore, the version numbers don't line up correctly like you said and all sorts of headaches result. I recently made changes to WS-T related code and had the tests working as best I could tell, but they are still really brittle and I may have introduced a regression. I made a note of what I had to do in https://issues.apache.org/jira/browse/CXF-2909. There needs to be some effort expended in getting these updated, but I couldn't find any information about the MS servers in order to accurately update interopfest's configuration.

-Original Message-
From: Sergey Beryozkin [mailto:sberyoz...@gmail.com]
Sent: Thursday, August 19, 2010 8:14 AM
To: dev@cxf.apache.org
Subject: Re: Regressions in WS-Trust 10 interopfest demo

All of those NoSuchMethodError exceptions have been probably caused by the fact I was building sandbox projects depending on outdated 2.3-SNAPSHOT views, so after removing the cxf artifacts from the maven repo I can the exceptions gone.

However, it does appear we have a regression in scenarios 9 and 10 :

Scenario_9_IssuedTokenForCertificate_MutualCertificate11: Exception: javax.xml.ws.soap.SOAPFaultException: An error occurred when verifying security for the message.
Scenario_10_IssuedTokenForCertificateSecureConversation_MutualCertificate11: Exception: javax.xml.ws.soap.SOAPFaultException: An error occurred when verifying security for the message.

Has anyone worked in this area recently ? I'm going to start looking into it as well...

cheers, Sergey

On Thu, Aug 19, 2010 at 11:55 AM, Sergey Beryozkin wrote:
> Hi
>
> I'm seeing all sorts of problems when running
> samples/ws_security/interopfest/wstrust10, both in 2.3.0-SNAPSHOT and on
> 2.2.x.
> I did run the demo last week and it worked for me but today it is just all
> failing.
>
> In 2.3.0-SNAPSHOT I had to update the version of maven-ant-run plugin to
> 1.4 just to get the build working, but besides that I'm seeing
> some strange errors like
>
> java.lang.NoSuchMethodError: org.apache.cxf.ws.security.trust.STSClient.setPolicy(Lorg/apache/neethi/Policy;)V
>     at org.apache.cxf.ws.security.policy.interceptors.SecureConversationTokenInterceptorProvider.setupClient(SecureConversationTokenInterceptorProvider.java:167)
>
> even though I can see STSClient.setPolicy(Object policy) method...
>
> In 2.2.x, the problem is that CXF version gets resolved to 2.3.0-SNAPSHOT,
> setting the version to 2.2.11-SNAPSHOT results in the async binding test
> failures.
>
> Can someone please give it a try and confirm it is just not me only ? Now,
> assuming there're regressions, I'd have to start investigating. Given that
> I'm a bit raw so to say in this area, any help will be appreciated
>
> thanks, Sergey
Re: Regressions in WS-Trust 10 interopfest demo
It might be me. For SAML references, I switched to KeyIdentifier instead of wsse:reference because that's what a Metro web service was expecting, also that was in harmony with the relevant specifications, as discussed here[1]. To be two-thirds complete, another patch in WSS4J will need to be applied[2]. I'm trying to get CXF's stsclient to work with a Metro STS, and also have the subsequent security token received by the client to work with a Metro web service (basically, swap a Metro client with a CXF one here[3]). The older wsse:reference (at least when used to refer to SAML tokens) is not being accepted by Metro, and the Metro team appears to have the support of the relevant OASIS specifications (that probably postdate considerably the interopfest stuff we test against) that pretty much mandate KeyIdentifier in these situations (as discussed in [1]). Without this change, CXF's stsclient will not be able to work with a Metro STS, nor will the subsequent SOAP call be accepted by a Metro web service either. Granted, though, even with this change, it still won't work, as more work is needed as explained in [2] for WSS4J to understand the SOAP response returned by the Metro web service. (My changes only handle the successful acceptance of the sts request by the CXF stsclient and the subsequent SOAP request to the Metro web service, part three of getting WSS4J of understanding the Metro SOAP response with a SAML token using KeyIdentifier instead of wsse:Reference is still uncoded, as that's a bit outside my present skillset.) You can revert it in order to pass the tests (if that is indeed the problem), but you'll be back to square #1 of cxf's stsclient not being able to work with a Metro STS, greatly stunting its usefulness and harming the growth of SOAP web services in general. 
Next issue (since you work with RedHat): There's also a PicketLink STS -- I don't know what it is expecting for SAML assertions -- the modern KeyIdentifier or the bring-out-the-78rpm wsse:Reference, if the former, that would also speak against reverting the changes I made, if the latter, maybe I can get the Metro team to work with wsse:Reference but again the spec appears to be very much on their side. Glen [1] https://issues.apache.org/jira/browse/CXF-2894 [2] https://issues.apache.org/jira/browse/WSS-238 [3] http://www.jroller.com/gmazza/entry/metro_and_wstrust Sergey Beryozkin-5 wrote: > > All of those NoSuchMethodError exceptions have been probably caused by the > fact I was building sandbox projects depending on outdated 2.3-SNAPSHOT > views, so after removing the cxf artifacts from the maven repo I can the > exceptions gone. > > However, it does appear we have a regression in scenarios 9 and 10 : > > Scenario_9_IssuedTokenForCertificate_MutualCertificate11: Exception: > javax.xml.ws.soap.SOAPFaultException: An error occurred when verifying > security for the message. > Scenario_10_IssuedTokenForCertificateSecureConversation_MutualCertificate11: > Exception: javax.xml.ws.soap.SOAPFaultException: An error occurred when > verifying security for the message. > > Has anyone worked in this area recently ? I'm going to start looking into > it > as well... > > cheers, Sergey > -- View this message in context: http://cxf.547215.n5.nabble.com/Regressions-in-WS-Trust-10-interopfest-demo-tp2640748p2641132.html Sent from the cxf-dev mailing list archive at Nabble.com.
Jira for security advisory
Is there any jira for the security advisory described here: http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf

I am looking for the patch that was applied to fix this issue. I have a branch of the 2.1.x line that does not contain the security fix and I am looking to patch this branch.

Regards,
Seumas
Re: Jira for security advisory
On Thursday 19 August 2010 2:20:58 pm Seumas Soltysik wrote:
> Is there any jira for the security advisory described here:
> http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf I am
> looking for the patch that was applied to fix this issue.
>
> I have a branch of the 2.1.x line that does not contain the security fix
> and I am looking to patch this branch.

We didn't open a JIRA as it was fixed long before we could make it public. Filing a JIRA would have made it public before we were ready.

In any case, the commit was:

r948131 | dkulp | 2010-05-25 13:52:01 -0400 (Tue, 25 May 2010) | 1 line

Turn off DTD and Entity expansion stuff in the XMLStreamReaders

--
Daniel Kulp
dk...@apache.org
http://dankulp.com/blog
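The commit message above names the setting to carry over when back-porting: DTD support and entity expansion switched off on the StAX readers. As an added example (not the code from r948131 or from CXF), this configures an `XMLInputFactory` that way and runs it beside a default factory on a constructed document with one internal entity; the class name and sample document are assumptions made for the illustration.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

// Added illustration; class name and sample input are hypothetical, not CXF code.
public class HardenedStaxDemo {

    // Constructed sample: a DOCTYPE declaring one harmless internal entity.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE order [<!ENTITY note \"text-from-entity\">]>"
        + "<order><comment>&note;</comment></order>";

    // Factory with DTD processing and entity expansion turned off.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.FALSE);
        // Defence in depth: refuse any external resolution the parser still attempts.
        f.setXMLResolver((publicId, systemId, baseUri, namespace) -> {
            throw new XMLStreamException("external entity resolution is disabled");
        });
        return f;
    }

    // Collects character data; an unexpanded reference is shown by name only.
    static String readText(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
        StringBuilder sb = new StringBuilder();
        try {
            while (r.hasNext()) {
                int event = r.next();
                if (event == XMLStreamConstants.CHARACTERS) {
                    sb.append(r.getText());
                } else if (event == XMLStreamConstants.ENTITY_REFERENCE) {
                    sb.append("[unexpanded &").append(r.getLocalName()).append(";]");
                }
            }
        } finally {
            r.close();
        }
        return sb.toString();
    }

    static String describe(XMLInputFactory factory) {
        try {
            return "text = \"" + readText(factory, SAMPLE) + "\"";
        } catch (XMLStreamException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("default factory : " + describe(XMLInputFactory.newInstance()));
        System.out.println("hardened factory: " + describe(hardenedFactory()));
    }
}
```

Depending on the StAX implementation, the hardened reader either fails at the reference or reports it unexpanded; in neither case does the entity's replacement text reach the application.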
Re: whether support for imported xsd in static wsdl as well as xsd's that import other xsd's implemented in cxf???
On Thursday 19 August 2010 7:53:58 am Edumudi Viswanath wrote: > Hi Dan, > > Kindly help us to understand below points. > > 1)As u explained in below mail, Generated wsdl should show just import > statements for xsds but actually it is inlining those xsds with cxf-2.2.8? Because that is the way we decided to do it, is the most performant (less hits to the server), and generally works best when serving up wsdl. When using the java2ws command line tool, there is an option (-createxsdimports) to have it split the schemas into separate files. It's just not the default. > 2) We tried to implement schema validation with cxf-2.2.8. it is doing > validation for integer types but not for elements with enumarations. What > needs to be done to enable validation for enumaration ? If that's not working but integer validation is, it's probably a bug in the schema validator built into the JDK or in JAXB. Fundamentally, that's all that we do. We have it create a Schema object that we pass to JAXB and JAXB uses that. Dan > > Code used for schema valication in cxf-servlet.xml: > name="{http://service.mycomp.com/provider/userservices/assets/st/x2005/}So > ftInfoPortType" createdFromAPI="true"> > > > > > xmlns:st="http://service.mycomp.com/provider/userservices/assets/st/x2005/ > " id="publishedEndpointUrl2" address="/GetSoftInfoService" > serviceName="st:GetSoftInfoService" endpointName="st:SoftInfoPortType" > implementor="com.mycomp.service.provider.userservices.assets.st.x2005.Soft > InfoPortTypeImpl"> > value="true" /> > > > Regards > vishy > > -Original Message- > From: Daniel Kulp [mailto:dk...@apache.org] > Sent: Thursday, August 19, 2010 1:31 AM > To: dev@cxf.apache.org > Cc: Edumudi Viswanath; us...@cxf.apache.org > Subject: Re: whether support for imported xsd in static wsdl as well as > xsd's that import other xsd's implemented in cxf??? 
> > On Wednesday 18 August 2010 7:26:54 am Edumudi Viswanath wrote: > > Dan, > > > > > > > > We are interested to know whether support for imported xsd in static > > wsdl as well as xsd's that import other xsd's is implemented in CXF? > > It definitely should be, yea. Both wsdl4j and XmlSchema that we use for > schema level things support those types of things just fine. > > Dan > > > By googling, we came to know "support for imported xsd in static wsdl as > > well as xsd's that import other xsd's" is implemented in Spring WS. The > > below links will discuss on this. Kindly have a look. > > > > https://jira.springsource.org/browse/SWS-281?page=com.atlassian.jira.plug > > in .system.issuetabpanels%3Aall-tabpanel#issue-tabs > > > > https://jira.springsource.org/browse/SWS-346 > > > > > > > > > > > > Thanks & Regards, > > > > Oracle logo.gif > > > > Edumudi Venkata Viswanath | Senior Consultant | +91 20 3984 7491 (O) | > > 9665045854 (M) Oracle Financial Services Software Limited | Ambrosia, > > Pune, India > > > > > > > > Oracle Financial Services Software Limited was formally i-flex solutions > > limited. -- Daniel Kulp dk...@apache.org http://dankulp.com/blog
Re: JiBX DataBinding: Status Update
On Wed, Aug 18, 2010 at 11:48 PM, Daniel Kulp wrote: > > Nilupa, > > It looks like you are doing a bit more work than you need to do relating to > the schema stuff. > > In: > public void initialize(ToolContext context) throws ToolException > > you should just need to do: > SchemaCollection schemas = (SchemaCollection) > context.get(ToolConstants.XML_SCHEMA_COLLECTION); > > to get the SchemaCollection that CXF has already parsed, processed, and > created. From those, you can get the DOM elements and such. Thus, you > shouldn't need to have to deal with the WSDL. > > Just a suggestion. :-) > Yes .. it makes sense to do obtain schemas as suggested since it avoid having to deal with WSDL. Thanks for the pointer and I will fix and update the repository shortly. Thanks, Nilupa > > Dan > > > > On Wednesday 18 August 2010 8:52:25 am Nilupa Bandara wrote: > > On Wed, Aug 18, 2010 at 6:13 PM, Nilupa Bandara > > > > wrote: > > > On Thu, Aug 12, 2010 at 7:43 PM, Daniel Kulp wrote: > > >> On Thursday 12 August 2010 9:46:51 am Nilupa Bandara wrote: > > >> > Hi, > > >> > > > >> > I've updated the jibx databinding code to[1] and tested the code > > >> > > >> generation > > >> > > >> > with the attached StockQuoteService.wsdl. It generates the proper > Java > > >> > classes for the schema embedded in the WSDL, skeleton code of both > > >> > > >> client > > >> > > >> > and the server and proper message exchange happens when JiBX > > >> > > >> databinding > > >> > > >> > is set without any problem. At the moment I am writing some test > cases > > >> > > >> and > > >> > > >> > javadoc comments which I'm hoping to commit in next few days. > > >> > > >> Super cool. Nice work. > > > > > > I've added some tests for testing primitive types. I will add some > tests > > > for testing complex types shortly. 
> > > > > > Nilupa > > > > > >> > There are couple of improvements which I would like to do > > >> > > > >> > - Support '-compile' option > > >> > > > >> > If the option is set, JiBX databinding should compile the generated > > >> > Java source files and should run the jibx-binding compiler against > > >> > the > > >> > > >> generated > > >> > > >> > class files using the generated binding.xml. Since the jibx-binding > > >> > compiler only accepts class files (not source files) I am thinking > > >> > how > > >> > > >> to > > >> > > >> > compile the generated source files. Is there a standard way of > > >> > programmatically compile source files in Java 5 platform.? (I found > > >> > some web resources illustrating how to do it in Java 6, but couldn't > > >> > find any for Java 5) If there is, then I can enhance the > > >> > JiBXDatabindingTooling > > >> > > >> to > > >> > > >> > programmatically compile the generated source files and run the > > >> > jibx-compiler against the those class files when '-compile' option > is > > >> > > >> set. > > >> > > >> Use our Compiler class: > > >> common/common/src/main/java/org/apache/cxf/common/util/Compiler.java > > >> > > >> It kind of abstracts out whether it can use the Java6 tool or it has > to > > >> fork > > >> out to javac. > > > > Done .. Now it supports the '-compile' option and the users don't have to > > run the jibx-compiler manually against the generated (user specified) > > binding.xml > > > > >> > - The implementation of getWrapperType() method in > > >> > > >> JiBXToolingDataBinding > > >> > > >> > class looks at the only one (ValueElement) of child elements of > > >> > BindingElement which contains binding/type information of generated > > >> > classes. It can certainly be improved to observe other child > elements > > >> > namely StuctElement and CollectionElement when required (see [2]). 
I > > >> > am looking for some schema/wsdl artifacts which will help me on that > > >> > and it would be great if anyone can point me to such. > > >> > > >> Well, if you want some very complex things, you could use the type > test > > >> wsdl > > >> in testutils: > > >> > > >> > testutils/target/generated/src/main/resources/wsdl/type_test/type_test_d > > >> oclit_soap.wsdl > > >> > > >> That's probably way overkill though. > > > > It seems that there are some problems with schema compilation when the > root > > schema in the WSDL contains several schema imports. When I ran the jibx > > schema compiler command line feeding the same schema (attached) , it > gives > > the same error[1]. I will ask about this issue in jibx-dev list and see > > whether they suggest any solution. > > > > Nilupa > > > > [1] Console output: > > > > java -cp jibx-tools.jar org.jibx.schema.codegen.CodeGen -t gen/src -w > > type_test_1.xsd > > Loaded and validated 1 specified schema(s) > > Exception in thread "main" java.lang.NullPointerException > > at org.jibx.schema.codegen.SourceBuilder.finish(SourceBuilder.java:327) > > at > org.jibx.schema.codegen.PackageHolder.generate(PackageHolder.java:211) > > at org.jibx.schema.codegen.PackageHolder.generate(PackageHolder.java:227) > > at org.jibx.sche